IN THE CLAIMS

1. [original] A method for securely communicating packets between a first computer
device and a second computer device through a packet-switched data transmission
network comprising intermediate computer devices, where at least one of said computer
devices performs a network address translation and/or a protocol conversion, the
method comprising the steps of

- determining what network address translations, if any, occur on packets transmitted 
between the first computer device and the second computer device, 

- taking packets conforming to a first protocol and encapsulating them into packets
conforming to a second protocol, which second protocol is capable of traversing
network address translations,

- transmitting said packets conforming to said second protocol from the first computer 
device to the second computer device and 

- decapsulating said transmitted packets conforming to said second protocol into packets
conforming to said first protocol.

2. [original] A method according to claim 1, wherein the step of taking packets
conforming to a first protocol and encapsulating them into packets conforming to a
second protocol comprises the substeps of

- taking packets conforming to the Internet Protocol, 

- processing said packets according to the IPSEC protocol suite and

- encapsulating the processed packets into packets conforming to the User Datagram 
Protocol. 

3. [original] A method according to claim 1, wherein the step of taking packets
conforming to a first protocol and encapsulating them into packets conforming to a
second protocol comprises the substeps of

- taking packets conforming to the Internet Protocol, 

- processing said packets according to the IPSEC protocol suite and 

- encapsulating the processed packets into packets conforming to the Transmission 
Control Protocol. 

4. [original] A method according to claim 1, further comprising the step of
compensating for the network address translations on said second protocol in the
packets that are transmitted from the first computer device to the second computer
device.

5. [original] A method according to claim 4, wherein said step of compensating for the
network address translations comprises a step of performing address translation based
on the information obtained in the step of determining what network address translations,
if any, occur on packets transmitted between the first computer device and the second
computer device.

6. [original] A method according to claim 5, wherein said step of compensating for the
network address translations further comprises a step of performing port number
translation based on the information obtained in the step of determining what network
address translations, if any, occur on packets transmitted between the first computer
device and the second computer device.

7. [original] A method according to claim 1, additionally comprising the step of
periodically transmitting keepalive packets between the first computer device and the
second computer device to ensure that the network address translations, if any,
occurring on packets transmitted between the first computer device and the second
computer device stay the same.

8. [original] A method for conditionally setting up a secure communication connection
between a first computer device and a second computer device through a
packet-switched data transmission network comprising intermediate computer devices,
where at least one of said computer devices performs a network address translation
and/or a protocol conversion, the method comprising the steps of

- finding out, whether or not the second computer device supports a communication
method where: it is determined what network address translations, if any, occur on
packets transmitted between the first computer device and the second computer device;
packets are taken that conform to a first protocol and encapsulated into packets that
conform to a second protocol, which second protocol is capable of traversing network
address translations; said packets conforming to said second protocol are transmitted
from the first computer device to the second computer device; and said transmitted
packets conforming to said second protocol are decapsulated into packets conforming to
said first protocol,

- as a response to a finding indicating that the second computer device supports said
communication method, setting up a secure communication connection between the first
computer device and the second computer device in which communication connection
said communication method is employed and

- as a response to a finding indicating that the second computer device does not support
said communication method, disabling the use of said communication method between the
first and the second computer devices.

9. [original] A method for tunnelling packets between a first computer device and a
second computer device through a packet-switched data transmission network
comprising intermediate computer devices, where at least one of said computer devices
performs a network address translation and/or a protocol conversion, the method
comprising the steps of

- establishing a bidirectional tunnelling mode between the first computer device and the
second computer device by exchanging packets conforming to a secure communication
protocol,

- taking packets conforming to a first protocol and encapsulating them at the first
computer device into packets conforming to a second protocol, which second protocol is
capable of traversing network address translations,

- transmitting said packets conforming to said second protocol from the first computer
device to the second computer device,

- decapsulating said transmitted packets conforming to said second protocol into packets
conforming to said first protocol at the second computer device,

- obtaining information about the address translations occurred on packets transmitted 
between the first computer device and the second computer device and 

- using said obtained information to modify the established bidirectional tunnelling mode 
between the first computer device and the second computer device. 



10. [original] A method according to claim 9, wherein the step of obtaining information
about the address translations occurred on packets transmitted between the first
computer device and the second computer device comprises the substeps of

- transmitting a packet between the first computer device and the second computer
device, said packet comprising a header part and a payload part, and

- comparing a network address transmitted in said payload part to a network address
transmitted in said header part in order to find out what changes have occurred on said
network address transmitted in said header part.

11. [original] A method according to claim 9, additionally comprising the step of
periodically transmitting keepalive packets between the first computer device and the
second computer device to ensure that the network address translations, if any,
occurring on packets transmitted between the first computer device and the second
computer device stay the same.

12. [original] A method according to claim 9, wherein the step of using said obtained 
information to modify the operation of the tunnelling of packets comprises the substep of 
introducing an address translation before the encapsulation of packets in order to 
compensate for the network address translations that occur on packets transmitted 
between the first computer device and the second computer device.

13. [original] A method according to claim 9, wherein the step of using said obtained 
information to modify the operation of the tunnelling of packets comprises the substep of
introducing an address translation after the decapsulation of packets in order to
compensate for the network address translations that occur on packets transmitted 
between the first computer device and the second computer device. 

14. [original] A method for tunnelling packets between a first computer device and a
second computer device through a packet-switched data transmission network 
comprising intermediate computer devices, in which data transmission network there 
exists a security protocol comprising a key management connection that employs a 
specific packet format for key management packets, the method comprising the steps of 

- encapsulating data packets that are not key management packets into said specific
packet format for key management packets,

- transmitting said data packets encapsulated into the specific packet format from the first
computer device to the second computer device,

- discriminating at the second computer device the data packets encapsulated into the 
specific packet format from actual key management packets and 

- decapsulating the data packets encapsulated into the specific packet format. 

15. [original] A method according to claim 14, wherein the step of encapsulating data 
packets that are not key management packets comprises the substeps of 

- encapsulating data packets that are not key management packets into a key
management packet format specified by the Internet Key Exchange protocol which
defines a certain Initiator Cookie field and

- inserting into the Initiator Cookie field of an encapsulated data packet a value indicating
that the encapsulated packet is a data packet and not a key management packet. 

16. [original] A method for securely communicating packets between a first computer 
device and a second computer device through a packet-switched data transmission
network comprising intermediate computer devices, where at least one of said computer
devices performs a network address translation and/or a protocol conversion and where
a security protocol exists comprising a key management connection, the method
comprising the steps of 

- for determining what network address translations, if any, occur on packets transmitted
between the first computer device and the second computer device: establishing a key
management connection according to said security protocol between the first computer
device and the second computer device; composing an indicator packet with a header
part and a payload part of which both comprise the network addresses of the first
computer device and the second computer device as seen by the node composing said
packet; transmitting and receiving said indicator packet within the key management
connection; and comparing in the received indicator packet the addresses contained in
the header part and the payload part, and

- using the information concerning the determined occurrences of network address
translations to securely communicating packets between the first computer device and
the second computer device.

17. [original] A method according to claim 16, wherein the security protocol determines 
a standard port number for a key management connection, and the method further 
comprises the step of comparing in the received indicator packet a source port number 
against said standard port number for a key management connection.

18. [original] A method for securely communicating packets between a first computer 
device and a second computer device through a packet-switched data transmission
network comprising intermediate computer devices, where at least one of said computer
devices performs a network address translation and/or a protocol conversion; where a
security protocol is acknowledged which determines transport-mode processing of
packets for transmission and reception; and where a high-level protocol checksum has
been determined for checking the integrity of received packets, the method comprising
the steps of

- at the first computer device, performing transport-mode processing for packets to be 
transmitted to the second computer device,

- at the second computer device, performing transport-mode processing for packets
received from the first computer device, said transport-mode processing comprising the
decapsulation of received packets and

- at the second computer device, updating the high-level protocol checksum for
decapsulated packets for compensating for changes, if any, caused by network address
translations. 

19. [original] A method according to claim 18, wherein 

- the step of performing transport-mode processing at the first computer device for
packets transmitted to the second computer device takes the form of performing
transport-mode processing as determined in the IPSEC protocol suite, and

- the step of performing transport-mode processing at the second computer device for
packets received from the first computer device takes the form of performing
transport-mode processing as determined in the IPSEC protocol suite.

20. [original] A method according to claim 18, additionally comprising the steps of

- at the first computer device, after performing transport-mode processing for a packet to
be transmitted to the second computer device, encapsulating the processed packet into a
packet conforming to a certain second protocol, which second protocol is capable of
traversing network address translations and

- at the second computer device, before performing transport-mode processing for a
packet received from the first computer device, decapsulating the received packet from
the packet conforming to said second protocol and replacing a number of network
addresses in the decapsulated packet with a corresponding number of network
addresses taken from the received packet before decapsulation.

21. [original] A method according to claim 18, wherein the step of updating the
high-level protocol checksum takes the form of recomputing the checksum for the 
transport-mode-processed packets. 

22. [original] A method according to claim 18, wherein the method additionally 
comprises the step of obtaining information about the network addresses of the first and
second computer devices before and after network address translations, and the step of
updating the high-level protocol checksum takes the form of incrementally updating the 
checksum based on the obtained information about the network addresses of the first 
and second computer devices before and after network address translations. 
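
Added example, not part of the claims text: a Python sketch of the header-versus-payload address comparison of claims 16 and 17 feeding the incremental checksum update of claim 22, checked against the full recomputation of claim 21. It assumes IPv4 with TCP as the high-level protocol, uses the RFC 1624 update formula as one way to do the incremental step, and all function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

IKE_PORT = 500  # standard UDP port for IKE key management (assumed protocol)

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum, input zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Full recomputation (claim 21); segment's checksum field must be zero."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return ~ones_sum(pseudo + segment) & 0xFFFF

def detect_nat(header_src: str, header_sport: int, payload_src: str) -> dict:
    """Claims 16-17: compare what the sender wrote with what arrived."""
    return {"address_changed": header_src != payload_src,
            "port_changed": header_sport != IKE_PORT,
            "before": payload_src, "after": header_src}

def incremental_update(checksum: int, before: str, after: str) -> int:
    """Claim 22 via RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m')."""
    old = bytes(b ^ 0xFF for b in ipaddress.IPv4Address(before).packed)
    new = ipaddress.IPv4Address(after).packed
    return ~ones_sum(struct.pack("!H", ~checksum & 0xFFFF) + old + new) & 0xFFFF

def demo() -> tuple:
    # Constructed sample: 20-byte TCP header (checksum zeroed) plus payload.
    segment = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + b"hello"
    dst = "198.51.100.7"
    sent = tcp_checksum("10.0.0.5", dst, segment)       # computed by the sender
    nat = detect_nat("203.0.113.9", 61234, "10.0.0.5")  # indicator packet as received
    fixed = incremental_update(sent, nat["before"], nat["after"])
    return nat, sent, fixed, tcp_checksum("203.0.113.9", dst, segment)

if __name__ == "__main__":
    print(demo())
```

The incremental result equals the full recomputation over the translated source address, so the receiver can repair the checksum without touching the payload.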

23. [original] A method for maintaining the unchanged form of address translations 
performed by network address translation devices on encapsulated actual data packets 
transmitted with certain address information between a first computer device and a 
second computer device through a packet-switched data transmission network, the
method comprising the step of

- forcing at least one of the first computer device and the second computer device to
transmit to the other computer device keepalive packets with address information
identical to that of actual data packets at a high enough frequency so that network